ghidra
// Reverse engineer binaries using Ghidra's headless analyzer. Decompile executables, extract functions, strings, symbols, and analyze call graphs without GUI.
| name | ghidra |
| description | Reverse engineer binaries using Ghidra's headless analyzer. Decompile executables, extract functions, strings, symbols, and analyze call graphs without GUI. |
Perform automated reverse engineering using Ghidra's analyzeHeadless tool. Import binaries, run analysis, decompile to C code, and extract useful information.
- `/root/.agents/skills/ghidra/scripts/ghidra-analyze.sh`
- `/root/.agents/skills/ghidra/scripts/ghidra_scripts`
- `/usr/local/bin/analyzeHeadless`

| Task | Command |
|---|---|
| Full analysis with all exports | /root/.agents/skills/ghidra/scripts/ghidra-analyze.sh -s ExportAll.java -o ./output binary |
| Decompile to C code | /root/.agents/skills/ghidra/scripts/ghidra-analyze.sh -s ExportDecompiled.java -o ./output binary |
| List functions | /root/.agents/skills/ghidra/scripts/ghidra-analyze.sh -s ExportFunctions.java -o ./output binary |
| Extract strings | /root/.agents/skills/ghidra/scripts/ghidra-analyze.sh -s ExportStrings.java -o ./output binary |
| Get call graph | /root/.agents/skills/ghidra/scripts/ghidra-analyze.sh -s ExportCalls.java -o ./output binary |
| Export symbols | /root/.agents/skills/ghidra/scripts/ghidra-analyze.sh -s ExportSymbols.java -o ./output binary |
```
/root/.agents/skills/ghidra/scripts/ghidra-analyze.sh [options] <binary>
```
Always call the wrapper by absolute path. It handles project creation/cleanup and provides a simpler interface to analyzeHeadless.
Options:
- `-o, --output <dir>` - Output directory for results (default: current dir)
- `-s, --script <name>` - Post-analysis script to run (can be repeated)
- `-a, --script-args <args>` - Arguments for the last specified script
- `--script-path <path>` - Additional script search path
- `-p, --processor <id>` - Processor/architecture (e.g., x86:LE:32:default)
- `-c, --cspec <id>` - Compiler spec (e.g., gcc, windows)
- `--no-analysis` - Skip auto-analysis (faster, but less info)
- `--timeout <seconds>` - Analysis timeout per file
- `--keep-project` - Keep the Ghidra project after analysis
- `--project-dir <dir>` - Directory for Ghidra project (default: /tmp)
- `--project-name <name>` - Project name (default: auto-generated)
- `-v, --verbose` - Verbose output

Comprehensive export - runs all other exports and creates a summary. Best for initial analysis.
Output files:
- `{name}_summary.txt` - Overview: architecture, memory sections, function counts
- `{name}_decompiled.c` - All functions decompiled to C
- `{name}_functions.json` - Function list with signatures and calls
- `{name}_strings.txt` - All strings found
- `{name}_interesting.txt` - Functions matching security-relevant patterns

```bash
/root/.agents/skills/ghidra/scripts/ghidra-analyze.sh -s ExportAll.java -o ./analysis firmware.bin
```
Decompile all functions to C pseudocode.
Output: {name}_decompiled.c
```bash
/root/.agents/skills/ghidra/scripts/ghidra-analyze.sh -s ExportDecompiled.java -o ./output program.exe
```
Export function list as JSON with addresses, signatures, parameters, and call relationships.
Output: {name}_functions.json
```json
{
  "program": "example.exe",
  "architecture": "x86",
  "functions": [
    {
      "name": "main",
      "address": "0x00401000",
      "size": 256,
      "signature": "int main(int argc, char **argv)",
      "returnType": "int",
      "callingConvention": "cdecl",
      "isExternal": false,
      "parameters": [{"name": "argc", "type": "int"}, ...],
      "calls": ["printf", "malloc", "process_data"],
      "calledBy": ["_start"]
    }
  ]
}
```
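
A triage pass over the function export described above, as an added example that is not part of the original page or the skill's own scripts: it reads the `name`, `address`, `isExternal` and `calls` fields, flags internal functions that call `strcpy`, `sprintf` or `gets` (the names this page greps for in the decompiled output), and reports the shortest call path from `main`. The sample document is constructed, and `RISKY`, `call_paths` and `triage` are names chosen for this example.

```python
import json
from collections import deque

# Same names the page greps for in the decompiled output.
RISKY = {"strcpy", "sprintf", "gets"}

# Constructed sample in the {name}_functions.json layout shown above.
SAMPLE = json.loads("""
{"program": "example.exe", "architecture": "x86", "functions": [
 {"name": "_start", "address": "0x00400f00", "isExternal": false, "calls": ["main"]},
 {"name": "main", "address": "0x00401000", "isExternal": false, "calls": ["printf", "process_data"]},
 {"name": "process_data", "address": "0x00401100", "isExternal": false, "calls": ["copy_name", "malloc"]},
 {"name": "copy_name", "address": "0x00401200", "isExternal": false, "calls": ["strcpy"]},
 {"name": "debug_dump", "address": "0x00401300", "isExternal": false, "calls": ["sprintf"]}
]}
""")

def call_paths(doc, root="main"):
    """BFS over the 'calls' edges; returns {function: shortest path from root}."""
    graph = {f["name"]: f.get("calls", []) for f in doc["functions"]}
    paths, queue = {root: [root]}, deque([root])
    while queue:
        cur = queue.popleft()
        for callee in graph.get(cur, []):
            if callee not in paths:
                paths[callee] = paths[cur] + [callee]
                queue.append(callee)
    return paths

def triage(doc, root="main"):
    """List internal functions that call a risky API, reachable ones first."""
    paths = call_paths(doc, root)
    rows = []
    for f in doc["functions"]:
        hits = sorted(RISKY & set(f.get("calls", [])))
        if hits and not f.get("isExternal", False):
            rows.append({"name": f["name"], "address": f["address"],
                         "risky": hits, "path": paths.get(f["name"])})
    # Reachable (path is a list) sorts before unreachable (None), shorter first.
    return sorted(rows, key=lambda r: (r["path"] is None, len(r["path"] or [])))

if __name__ == "__main__":
    for r in triage(SAMPLE):
        via = " -> ".join(r["path"]) if r["path"] else "not reachable from main"
        print(f'{r["address"]} {r["name"]}: {", ".join(r["risky"])} ({via})')
```

If the export records only direct calls, a function reported as not reachable from `main` may still be invoked through a function pointer or another entry point, so treat that column as a review priority rather than proof of dead code.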
Extract all strings (ASCII, Unicode) with addresses.
Output: {name}_strings.json
```bash
/root/.agents/skills/ghidra/scripts/ghidra-analyze.sh -s ExportStrings.java -o ./output malware.exe
```
Export function call graph showing caller/callee relationships.
Output: {name}_calls.json
Includes:
Export all symbols: imports, exports, and internal symbols.
Output: {name}_symbols.json
```bash
# Create output directory
mkdir -p ./analysis

# Run comprehensive analysis
/root/.agents/skills/ghidra/scripts/ghidra-analyze.sh -s ExportAll.java -o ./analysis unknown_binary

# Review the summary first with bounded reads
sed -n '1,160p' ./analysis/unknown_binary_summary.txt

# Look at interesting patterns (crypto, network, dangerous functions)
sed -n '1,160p' ./analysis/unknown_binary_interesting.txt

# Check specific decompiled functions
grep -A 50 "encrypt" ./analysis/unknown_binary_decompiled.c
```

```bash
# Specify ARM architecture for firmware
/root/.agents/skills/ghidra/scripts/ghidra-analyze.sh \
    -p "ARM:LE:32:v7" \
    -s ExportAll.java \
    -o ./firmware_analysis \
    firmware.bin
```

```bash
# Just get function names and addresses (faster)
/root/.agents/skills/ghidra/scripts/ghidra-analyze.sh --no-analysis -s ExportFunctions.java -o . program

# Parse with jq
jq '.functions[] | "\(.address): \(.name)"' program_functions.json
```

```bash
# After running ExportDecompiled, search for patterns
grep -n "password\|secret\|key" output_decompiled.c
grep -n "strcpy\|sprintf\|gets" output_decompiled.c
```

```bash
for bin in ./samples/*; do
    name=$(basename "$bin")
    /root/.agents/skills/ghidra/scripts/ghidra-analyze.sh -s ExportAll.java -o "./results/$name" "$bin"
done
```
Common processor IDs for the -p option:
| Architecture | Processor ID |
|---|---|
| x86 32-bit | x86:LE:32:default |
| x86 64-bit | x86:LE:64:default |
| ARM 32-bit | ARM:LE:32:v7 |
| ARM 64-bit | AARCH64:LE:64:v8A |
| MIPS 32-bit | MIPS:BE:32:default or MIPS:LE:32:default |
| PowerPC | PowerPC:BE:32:default |
Find all available processors:
```bash
ls /opt/ghidra/Ghidra/Processors/
```
```bash
# Set GHIDRA_HOME if in non-standard location
export GHIDRA_HOME=/path/to/ghidra_11.x_PUBLIC
/root/.agents/skills/ghidra/scripts/ghidra-analyze.sh ...
```

```bash
# Set a timeout (seconds)
/root/.agents/skills/ghidra/scripts/ghidra-analyze.sh --timeout 300 -s ExportAll.java binary

# Skip analysis for quick export
/root/.agents/skills/ghidra/scripts/ghidra-analyze.sh --no-analysis -s ExportSymbols.java binary
```
Edit the analyzeHeadless script or set:
```bash
export MAXMEM=4G
```
Explicitly specify the processor:
```bash
/root/.agents/skills/ghidra/scripts/ghidra-analyze.sh -p "ARM:LE:32:v7" -s ExportAll.java firmware.bin
```
--timeout and consider --no-analysis for quick scans